Some apps do more harm than good. And “free” apps often come with hidden costs. These tenets hold as true for education apps as they do for those in the consumer market, privacy experts contend.
A recent New York Times investigation found that many companies receive such precise, extensive data on their users that they—and anyone else they share this information with—could easily identify a single individual and pinpoint their location. That user data is often sold to or shared with other companies, such as advertisers who have a vested interest in behavioral data, and it’s not as anonymous as people think. This is how many free apps monetize.
Every time users click “allow” when an app asks them to enable location services or provide access to their contacts, microphone or folders, they are potentially making a transaction: sharing their personal information in exchange for using the app.
Yet few users read the fine print—let alone students, as researchers have found. Today, the Apple app store alone features more than 75,000 education apps. Countless more are available for Android devices. But which are safe to use with students? And how can you be sure?
Fortunately, several tools have done the heavy lifting for educators and parents. Below are three resources you could use when considering whether an app is appropriate for students.
Common Sense Privacy Evaluations
Common Sense, a nonprofit education and advocacy organization, maintains a database that evaluates edtech tools on whether they are safe for use in schools.
The privacy evaluations are broken down into three tiers: blue (“Use Responsibly”), yellow (“Use with Caution”) and red (“Not Recommended”).
When establishing each rating, Common Sense’s privacy team considers federal and state privacy regulations as well as industry best practices. It’s all covered in the team’s 150-question rubric, which is used to assign a tier to each tool.
Since the project began in 2015, the privacy team has evaluated nearly 300 education apps. But that’s just the tip of the iceberg, Kelly tells EdSurge.
The team started by evaluating about 200 apps that school district leaders indicated as high priority—in other words, those that were most downloaded in the app store or that district leaders identified as most popular in their schools. “Some of these apps have millions of kids using them,” Kelly says. “That alone is a huge footprint.”
Common Sense recently began chipping away at the remaining 3,000 apps they identified, going in alphabetical order. Most of the ones that have been evaluated are outright educational apps. The ones they’ll be focusing on in the next year tend to be situated in the consumer space—think Angry Birds, Instagram and Pinterest, which are not intended for learning but are used widely by kids.
The team may never be able to provide an exhaustive list, not least because the privacy evaluations are incredibly time-intensive, Kelly explains. For each app, the team spends between eight and 16 hours reviewing it.
Of the 297 apps evaluated to date, the majority (187) earned a yellow “Use with Caution” badge.
Take Duolingo. The language-learning platform earned a yellow badge and received an overall score of 31 out of 100. That’s because Duolingo shares data for advertising or marketing purposes, displays behavioral or contextual advertisements and provides data to third-parties, according to Common Sense.
This is an important distinction, Kelly says. Just because a company does not have a clearly written policy does not mean that it is engaging in bad or questionable practices. At the same time, by not having a clear statement, the company implicitly assumes that users are okay should the company decide to do them.
Before publishing a company’s privacy evaluation, someone at Common Sense contacts the company to discuss what was found and “open up a dialogue,” Kelly says.
“If we want to raise the bar, we need to make sure these companies understand,” he says. “It’s very valuable information for them.”
Kelly has had many conversations with officials at companies that fall into the “Use with Caution” category, and what he’s noticed is that a lot of them aren’t writing certain practices, such as the selling of user data or behavioral advertising, into their privacy policies “because they feel it doesn’t apply to them,” he explains. “They’re asking, ‘Why do I need to talk about behavioral advertising if I don’t do it?’”
In a number of cases, Kelly adds, vendors have reached back out about a month after their initial conversation to say they’ve updated their policies to better reflect their practices. It’s a huge reason Common Sense is spending the time on this project, he says.
The privacy evaluations have been useful for educators, too. Common Sense meets with its 200 district partners every month and hears that many of them are using the evaluations in their procurement processes.
Another tool—though not specific to edtech—is AppCensus.
For example, ClassDojo, a classroom communication app, earned a badge from AppCensus for “transmitting sensitive data” on its app. ClassDojo requests permission to access users’ location, storage, microphone, camera and start silently (a setting that allows the app to start running when the device is turned on).
AppCensus determines whether an app transmits personal information or device identifiers, which are unique to each person and track behavior over time. Device IDs are very helpful for advertisers and analytics companies. The AppCensus tool also identifies the recipients of each app user’s data. In the case of ClassDojo, a relatively harmless example, data goes back to the company and to Google Crashlytics. In the case of Quizlet, data is sent to Facebook and Google ad services, according to AppCensus.
AppCensus has tested many of the same education apps reviewed by Common Sense (search for other app reports here). The catch with AppCensus is that, due to certain restrictions on iOS, AppCensus is only able to analyze Android apps.
Another privacy evaluation tool, created and maintained by Exodus, a French non-profit organization, is also limited to Android apps.
Exodus publicizes how many trackers—or software that collects data about users and their usage—and permissions are found in each app. For Duolingo, it found 15 trackers and 22 permissions, and for Schoology, a K-12 learning management system, it found three trackers and 11 permissions.
In each report, Exodus identifies where the trackers are coming from. Some common origins are ads and analytics services offered by Google and Facebook, along with other tools like Flurry, Inmobi and MixPanel.
None of the three aforementioned tools provide a perfect picture of an app’s data-sharing practices or privacy policies. The important thing, Kelly says, is that educators, parents and students use these tools as a gateway into greater awareness and control of their own data.
“Because this can happen invisibly,” he says, referring to the sharing and selling of user data, “those two big things—awareness and control over the collection and use of your information—are a good place to start.”